Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Access Key Vault from local Service Fabric cluster with MSI

Tags:

azure

azure-service-fabric

azure-keyvault

azure-managed-identity

I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local develop environment.

As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster. I assume it is because a local cluster runs under the NETWORK SERVICE account.

How can I access the Key Vault from my local cluster with MSI?

like image 351
Mikko Avatar asked Apr 16 '18 14:04

Mikko

1 Answers

I am assuming you are using the Microsoft.Azure.Services.AppAuthentication library to get a token using MSI to authenticate to Key Vault, and this is working on Azure. If so, you can run the same exact code on local development environment. The library will automatically switch to using MSI on Azure. You can find documentation here

Note: Local development for MSI scenarios is much easier when developing applications that run under the current user, e.g. App Services. In such cases you can use Azure CLI/ Visual Studio account for local development. You do not need to create a separate service principal. Azure CLI/ Visual Studio do not work for Service Fabric local development, since local cluster runs under Network Service account.

For Service Fabric scenarios, please follow these steps:

  1. Create a service principal and give access to Key Vault. You have two options. Certificate is better w.r.t security, but slightly harder to do.

    Option 1: Create a service principal with a certificate. Make sure you give Network Service account or whatever account is used to run fabric locally access to the certificate. Refer for details on how to give access.

    OR

    Option 2: Create a service principal with a password

  2. Create an environment variable called “AzureServicesAuthConnectionString”. Refer this on creating environment variables for service fabric.

    If using certificate, set "AzureServicesAuthConnectionString" to

    RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint= {Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}

    If using password, set "AzureServicesAuthConnectionString" to

    RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}

If above steps do not work, please post the error you get.

like image 88
Varun Sharma Avatar answered Nov 16 '22 12:11

Varun Sharma
Sign in to Comment

Related questions

How to run Azure 2.2 project after installing Azure SDK 2.5
Intermittent Connection Timeout in Azure SQL on AJAX Request
Role instance name is not valid while restarting the VM
CosmosDB - DocumentDB - Bulk insert without saturating collection RU
Does Hive have a dynamic pivot function
Azure Resource Group Stuck in "Moving Resources"
docker build fails on a cloud VM
Using Azure Active Directory OAuth with Identity Model in ASP.NET Core 2.0
Can Azure run WPF?
Automating deployment of .Net Web App to Azure & SQL Azure & Azure Blobs
Manage my Azure Cloud Services using native C# API?
Azure map drive system error 53 has occurred
Virus Scanning Uploaded files from Azure Web/Worker Role
Predicting a users next action based on current day and time
How can I show all work items in azure devops work items screen
Chrome memory issue - File API + AngularJS
How to 'Grant Permissions' Using Azure Active Directory PowerShell V2
How to remove Zoom Button From Azure B2C in Xamarin Forms

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!